Snort mailing list archives
Re: Functional Rule-chain?
From: Joel Esler <jesler () sourcefire com>
Date: Tue, 15 Jun 2010 11:42:45 -0400
Parker, I'm sure VRT will look into this, however, just an FYI. If you use PulledPork to update rules, PulledPork will autoresolve all the flowbit dependencies for you. J On Jun 15, 2010, at 9:36 AM, Crook, Parker wrote:
Howdy all, I was doing some standard performance tuning on my ruleset and noticed a particular oddity the other day. I noticed rule 1:3819 spending a fair amount of time on a decent number of checks with no matches. So I opened up rule 3819 and noticed it is just a “flowbits:set, chm_content_type; flowbits:noalert” rule for use by rule 3820. So I took a look at 3820 and it is disabled by default. So my question is: why is 3819 on by default when all it does is set a flag for use by 3820, which is off by default?
-- Joel Esler
_______________________________________________ Snort-sigs mailing list Snort-sigs () lists sourceforge net https://lists.sourceforge.net/lists/listinfo/snort-sigs
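The two sides of this thread are easy to check mechanically: Parker's case is an enabled flowbits setter with noalert whose only checker is commented out (it costs detection time and can never produce an alert), and Joel's point is that PulledPork enables disabled setters that an enabled checker depends on. The script below is an added example for this archive page, not code from PulledPork, VRT, or either poster. The ruleset is constructed: the bodies given for sids 3819 and 3820 are placeholders built around the flowbit name from the thread, not the real VRT rule text, and the extra sids 1000001 to 1000003 are made up. The resolver is a simplified reimplementation of the idea, not PulledPork's logic; it treats a leading `#` as "disabled", ignores `\;` escapes inside content and the optional group argument of set/setx, and handles `&`/`|` combined flowbit names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample ruleset modelled on the thread. Rule bodies are placeholders,
# not the real VRT rules for sid 3819/3820; sids 1000001-1000003 are invented.
SAMPLE_RULES = r'''
alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE chm content-type"; flow:to_client,established; content:"application/x-chm"; flowbits:set,chm_content_type; flowbits:noalert; sid:3819; rev:1;)
# alert tcp $EXTERNAL_NET $HTTP_PORTS -> $HOME_NET any (msg:"SAMPLE chm download"; flow:to_client,established; flowbits:isset,chm_content_type; content:"ITSF"; sid:3820; rev:1;)
# alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"SAMPLE ftp login seen"; content:"USER"; flowbits:set,ftp.user; flowbits:noalert; sid:1000001; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 21 (msg:"SAMPLE ftp cmd after login"; flowbits:isset,ftp.user; content:"SITE EXEC"; sid:1000002; rev:1;)
# alert tcp any any -> any any (msg:"SAMPLE combined check"; flowbits:isset,chm_content_type&ftp.user; sid:1000003; rev:1;)
'''

SETTER_OPS = {"set", "setx", "unset", "toggle"}
CHECKER_OPS = {"isset", "isnotset"}

# A leading "#" marks a disabled rule; the options live between the outer parentheses.
RULE_RE = re.compile(r'^\s*(#\s*)?(?:alert|log|pass|drop|reject|sdrop)\s+\S+\s+.*?\((.*)\)\s*$')
SID_RE = re.compile(r'\bsid\s*:\s*(\d+)\s*;')
FLOWBITS_RE = re.compile(r'\bflowbits\s*:\s*([^;]+);')


@dataclass
class Rule:
    sid: int
    enabled: bool
    sets: set = field(default_factory=set)      # flowbit names this rule sets/unsets/toggles
    checks: set = field(default_factory=set)    # flowbit names this rule tests with isset/isnotset
    noalert: bool = False


def parse_rules(text):
    """Extract sid, enabled state and flowbits usage from each rule line."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue
        sid_m = SID_RE.search(m.group(2))
        if not sid_m:
            continue
        rule = Rule(sid=int(sid_m.group(1)), enabled=m.group(1) is None)
        for opt in FLOWBITS_RE.findall(m.group(2)):
            parts = [p.strip() for p in opt.split(",")]
            op = parts[0].lower()
            if op == "noalert":
                rule.noalert = True
                continue
            if len(parts) < 2:
                continue
            # "a&b" / "a|b" name each flowbit involved; parts[2] (a group) is ignored
            names = {n.strip() for n in re.split(r"[&|]", parts[1]) if n.strip()}
            if op in SETTER_OPS:
                rule.sets |= names
            elif op in CHECKER_OPS:
                rule.checks |= names
        rules.append(rule)
    return rules


def flowbit_index(rules):
    """Map each flowbit name to the rules that set it and the rules that check it."""
    setters, checkers = {}, {}
    for r in rules:
        for name in r.sets:
            setters.setdefault(name, []).append(r)
        for name in r.checks:
            checkers.setdefault(name, []).append(r)
    return setters, checkers


def orphan_setters(rules):
    """Enabled noalert setters none of whose flowbits has an enabled checker
    (Parker's 3819/3820 case): pure overhead in the detection engine."""
    _, checkers = flowbit_index(rules)
    orphans = []
    for r in rules:
        if not (r.enabled and r.noalert and r.sets):
            continue
        if all(not c.enabled for name in r.sets for c in checkers.get(name, [])):
            orphans.append(r.sid)
    return sorted(orphans)


def setters_to_enable(rules):
    """Disabled setters that an enabled checker depends on, followed transitively
    because a setter may itself check another flowbit. This mirrors the idea of
    PulledPork's flowbit resolution but is not its code."""
    setters, _ = flowbit_index(rules)
    by_sid = {r.sid: r for r in rules}
    active = {r.sid for r in rules if r.enabled}
    to_enable = set()
    changed = True
    while changed:
        changed = False
        for sid in list(active | to_enable):
            for name in by_sid[sid].checks:
                for s in setters.get(name, []):
                    if s.sid not in active and s.sid not in to_enable:
                        to_enable.add(s.sid)
                        changed = True
    return sorted(to_enable)


if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    print("enabled setters with no enabled checker:", orphan_setters(rules))
    print("disabled setters that enabled checkers need:", setters_to_enable(rules))
```

On the constructed ruleset this reports sid 3819 as an orphan setter (its checkers 3820 and 1000003 are both disabled) and sid 1000001 as a setter that must be enabled because 1000002 checks ftp.user. The first list is what Parker noticed by hand; the second is the direction PulledPork resolves automatically. Whether to also disable the orphans is a local tuning decision, since a rule update may re-enable the checker later.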
Current thread:
- Functional Rule-chain? Crook, Parker (Jun 15)
- Re: Functional Rule-chain? Joel Esler (Jun 15)